1/* $OpenBSD: ssl_sigalgs.c,v 1.49 2024/02/03 15:58:34 beck Exp $ */ 2/* 3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and/or distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 13 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 15 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 16 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <string.h> 20#include <stdlib.h> 21 22#include <openssl/evp.h> 23#include <openssl/opensslconf.h> 24 25#include "bytestring.h" 26#include "ssl_local.h" 27#include "ssl_sigalgs.h" 28#include "tls13_internal.h" 29 30const struct ssl_sigalg sigalgs[] = { 31 { 32 .value = SIGALG_RSA_PKCS1_SHA512, 33 .key_type = EVP_PKEY_RSA, 34 .md = EVP_sha512, 35 .security_level = 5, 36 }, 37 { 38 .value = SIGALG_ECDSA_SECP521R1_SHA512, 39 .key_type = EVP_PKEY_EC, 40 .md = EVP_sha512, 41 .security_level = 5, 42 .group_nid = NID_secp521r1, 43 }, 44 { 45 .value = SIGALG_RSA_PKCS1_SHA384, 46 .key_type = EVP_PKEY_RSA, 47 .md = EVP_sha384, 48 .security_level = 4, 49 }, 50 { 51 .value = SIGALG_ECDSA_SECP384R1_SHA384, 52 .key_type = EVP_PKEY_EC, 53 .md = EVP_sha384, 54 .security_level = 4, 55 .group_nid = NID_secp384r1, 56 }, 57 { 58 .value = SIGALG_RSA_PKCS1_SHA256, 59 .key_type = EVP_PKEY_RSA, 60 .md = EVP_sha256, 61 .security_level = 3, 62 }, 63 { 64 .value = SIGALG_ECDSA_SECP256R1_SHA256, 65 .key_type = EVP_PKEY_EC, 66 .md = EVP_sha256, 67 .security_level = 3, 68 .group_nid = NID_X9_62_prime256v1, 69 }, 70 { 71 .value = SIGALG_RSA_PSS_RSAE_SHA256, 72 .key_type = EVP_PKEY_RSA, 73 .md = EVP_sha256, 74 .security_level = 3, 75 .flags = SIGALG_FLAG_RSA_PSS, 76 }, 77 { 78 .value = SIGALG_RSA_PSS_RSAE_SHA384, 79 .key_type = EVP_PKEY_RSA, 80 .md = EVP_sha384, 81 .security_level = 4, 82 .flags = SIGALG_FLAG_RSA_PSS, 83 }, 84 { 85 .value = SIGALG_RSA_PSS_RSAE_SHA512, 86 .key_type = EVP_PKEY_RSA, 87 .md = EVP_sha512, 88 .security_level = 5, 89 .flags = SIGALG_FLAG_RSA_PSS, 90 }, 91 { 92 .value = SIGALG_RSA_PSS_PSS_SHA256, 93 .key_type = EVP_PKEY_RSA, 94 .md = EVP_sha256, 95 .security_level = 3, 96 .flags = SIGALG_FLAG_RSA_PSS, 97 }, 98 { 99 .value = SIGALG_RSA_PSS_PSS_SHA384, 100 .key_type = EVP_PKEY_RSA, 101 .md = EVP_sha384, 102 .security_level = 4, 103 .flags = SIGALG_FLAG_RSA_PSS, 104 }, 105 { 106 .value = SIGALG_RSA_PSS_PSS_SHA512, 107 .key_type = EVP_PKEY_RSA, 108 .md = EVP_sha512, 109 .security_level = 5, 110 .flags = SIGALG_FLAG_RSA_PSS, 111 }, 112 { 113 .value = SIGALG_RSA_PKCS1_SHA224, 114 .key_type = EVP_PKEY_RSA, 115 .md = EVP_sha224, 116 .security_level = 2, 117 }, 118 { 119 .value = SIGALG_ECDSA_SECP224R1_SHA224, 120 .key_type = EVP_PKEY_EC, 121 .md = EVP_sha224, 122 .security_level = 2, 123 }, 124 { 125 .value = SIGALG_RSA_PKCS1_SHA1, 126 .key_type = EVP_PKEY_RSA, 127 .md = EVP_sha1, 128 .security_level = 1, 129 }, 130 { 131 .value = SIGALG_ECDSA_SHA1, 132 .key_type = EVP_PKEY_EC, 133 .md = EVP_sha1, 134 .security_level = 1, 135 }, 136 { 137 .value = SIGALG_RSA_PKCS1_MD5_SHA1, 138 .key_type = EVP_PKEY_RSA, 139 .md = EVP_md5_sha1, 140 .security_level = 1, 141 }, 142 { 143 .value = SIGALG_NONE, 144 }, 145}; 146 147/* Sigalgs for TLSv1.3, in preference order. */ 148const uint16_t tls13_sigalgs[] = { 149 SIGALG_RSA_PSS_RSAE_SHA512, 150 SIGALG_RSA_PKCS1_SHA512, 151 SIGALG_ECDSA_SECP521R1_SHA512, 152 SIGALG_RSA_PSS_RSAE_SHA384, 153 SIGALG_RSA_PKCS1_SHA384, 154 SIGALG_ECDSA_SECP384R1_SHA384, 155 SIGALG_RSA_PSS_RSAE_SHA256, 156 SIGALG_RSA_PKCS1_SHA256, 157 SIGALG_ECDSA_SECP256R1_SHA256, 158}; 159const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0])); 160 161/* Sigalgs for TLSv1.2, in preference order. */ 162const uint16_t tls12_sigalgs[] = { 163 SIGALG_RSA_PSS_RSAE_SHA512, 164 SIGALG_RSA_PKCS1_SHA512, 165 SIGALG_ECDSA_SECP521R1_SHA512, 166 SIGALG_RSA_PSS_RSAE_SHA384, 167 SIGALG_RSA_PKCS1_SHA384, 168 SIGALG_ECDSA_SECP384R1_SHA384, 169 SIGALG_RSA_PSS_RSAE_SHA256, 170 SIGALG_RSA_PKCS1_SHA256, 171 SIGALG_ECDSA_SECP256R1_SHA256, 172 SIGALG_RSA_PKCS1_SHA1, /* XXX */ 173 SIGALG_ECDSA_SHA1, /* XXX */ 174}; 175const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); 176 177static void 178ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values, 179 size_t *out_len) 180{ 181 if (tls_version >= TLS1_3_VERSION) { 182 *out_values = tls13_sigalgs; 183 *out_len = tls13_sigalgs_len; 184 } else { 185 *out_values = tls12_sigalgs; 186 *out_len = tls12_sigalgs_len; 187 } 188} 189 190static const struct ssl_sigalg * 191ssl_sigalg_lookup(uint16_t value) 192{ 193 int i; 194 195 for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { 196 if (sigalgs[i].value == value) 197 return &sigalgs[i]; 198 } 199 200 return NULL; 201} 202 203static const struct ssl_sigalg * 204ssl_sigalg_from_value(SSL *s, uint16_t value) 205{ 206 const uint16_t *values; 207 size_t len; 208 int i; 209 210 ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version, 211 &values, &len); 212 213 for (i = 0; i < len; i++) { 214 if (values[i] == value) 215 return ssl_sigalg_lookup(value); 216 } 217 218 return NULL; 219} 220 221int 222ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level) 223{ 224 const struct ssl_sigalg *sigalg; 225 const uint16_t *values; 226 size_t len; 227 size_t i; 228 int ret = 0; 229 230 ssl_sigalgs_for_version(tls_version, &values, &len); 231 232 /* Add values in order as long as they are supported. */ 233 for (i = 0; i < len; i++) { 234 /* Do not allow the legacy value for < 1.2 to be used. */ 235 if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1) 236 return 0; 237 if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL) 238 return 0; 239 if (sigalg->security_level < security_level) 240 continue; 241 242 if (!CBB_add_u16(cbb, values[i])) 243 return 0; 244 245 ret = 1; 246 } 247 return ret; 248} 249 250static const struct ssl_sigalg * 251ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey) 252{ 253 if (SSL_get_security_level(s) > 1) 254 return NULL; 255 256 /* Default signature algorithms used for TLSv1.2 and earlier. */ 257 switch (EVP_PKEY_id(pkey)) { 258 case EVP_PKEY_RSA: 259 if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION) 260 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); 261 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); 262 case EVP_PKEY_EC: 263 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); 264 } 265 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); 266 return NULL; 267} 268 269static int 270ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey) 271{ 272 if (sigalg == NULL || pkey == NULL) 273 return 0; 274 if (sigalg->key_type != EVP_PKEY_id(pkey)) 275 return 0; 276 277 /* RSA PSS must have a sufficiently large RSA key. */ 278 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) { 279 if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA || 280 EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2)) 281 return 0; 282 } 283 284 if (!ssl_security_sigalg_check(s, pkey)) 285 return 0; 286 287 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION) 288 return 1; 289 290 /* RSA cannot be used without PSS in TLSv1.3. */ 291 if (sigalg->key_type == EVP_PKEY_RSA && 292 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) 293 return 0; 294 295 /* Ensure that group matches for EC keys. */ 296 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { 297 if (sigalg->group_nid == 0) 298 return 0; 299 if (EC_GROUP_get_curve_name(EC_KEY_get0_group( 300 EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid) 301 return 0; 302 } 303 304 return 1; 305} 306 307const struct ssl_sigalg * 308ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) 309{ 310 CBS cbs; 311 312 if (!SSL_USE_SIGALGS(s)) 313 return ssl_sigalg_for_legacy(s, pkey); 314 315 /* 316 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension, 317 * in which case the server must use the default. 318 */ 319 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 320 s->s3->hs.sigalgs == NULL) 321 return ssl_sigalg_for_legacy(s, pkey); 322 323 /* 324 * If we get here, we have client or server sent sigalgs, use one. 325 */ 326 CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 327 while (CBS_len(&cbs) > 0) { 328 const struct ssl_sigalg *sigalg; 329 uint16_t sigalg_value; 330 331 if (!CBS_get_u16(&cbs, &sigalg_value)) 332 return NULL; 333 334 if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) 335 continue; 336 if (ssl_sigalg_pkey_ok(s, sigalg, pkey)) 337 return sigalg; 338 } 339 340 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); 341 return NULL; 342} 343 344const struct ssl_sigalg * 345ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value) 346{ 347 const struct ssl_sigalg *sigalg; 348 349 if (!SSL_USE_SIGALGS(s)) 350 return ssl_sigalg_for_legacy(s, pkey); 351 352 if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) { 353 SSLerror(s, SSL_R_UNKNOWN_DIGEST); 354 return NULL; 355 } 356 if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) { 357 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); 358 return NULL; 359 } 360 361 return sigalg; 362} 363